One problem I see is that if User 1 somehow obtains a URL to a view that displays an object owned by User 2, User 1 will be able to view User 2's object. I'll have to write code in every view function that displays user-owned data to make sure that the user actually has permission to view it.

On Tuesday, April 17, 2012 11:20:09 AM UTC+2, bruno desthuilliers wrote:
>
> On Apr 17, 8:07 am, Mike <[email protected]> wrote:
> > In my app I need a way to associate objects with a specific user. Users
> > should not have access to other users' objects. I'm implementing this in my
> > model by setting a ForeignKey to the user that owns the object:
> >
> > owner = models.ForeignKey(User)
> >
> > Is this a bad idea?
>
> Seems quite sensible for the use case you describe.
>
> > Can someone explain under what circumstances I would
> > need to use a row level permissions app?
>
> Row level permissions are useful when you have a more complex (and
> possibly dynamic) scheme - a common example would be a CMS with public
> and restricted areas, per-area admins and a validation/publication
> workflow.
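
An added example, not part of the original thread: the per-view ownership check described above can live in one owner-scoped lookup that every view goes through, shown here with the standard-library `sqlite3` module instead of Django so it runs on its own. The `note` table, the helper names and the sample rows are constructed for illustration; in Django the same scoping is a queryset filter such as `get_object_or_404(Note, pk=pk, owner=request.user)`, where `Note` is a hypothetical model with the `owner` ForeignKey from the thread.

```python
import sqlite3

class NotFound(Exception):
    """Stands in for an HTTP 404 response."""

def make_db():
    # Constructed sample data: two users, one note each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE note (id INTEGER PRIMARY KEY, "
               "owner_id INTEGER NOT NULL, body TEXT)")
    db.executemany("INSERT INTO note VALUES (?, ?, ?)",
                   [(1, 1, "user 1 note"), (2, 2, "user 2 note")])
    return db

def get_note_unscoped(db, note_id):
    # Lookup by primary key only: whoever holds the URL gets the row.
    row = db.execute("SELECT id, owner_id, body FROM note WHERE id = ?",
                     (note_id,)).fetchone()
    if row is None:
        raise NotFound(note_id)
    return row

def get_owned_note(db, user_id, note_id):
    # Ownership is part of the query, so "not yours" and "does not exist"
    # look the same to the caller and no existence information leaks.
    row = db.execute("SELECT id, owner_id, body FROM note "
                     "WHERE id = ? AND owner_id = ?",
                     (note_id, user_id)).fetchone()
    if row is None:
        raise NotFound(note_id)
    return row

def owned(view):
    # Decorator: the view receives an already-authorized row, never a raw id,
    # so a new view cannot forget the ownership check.
    def wrapper(db, user_id, note_id):
        return view(get_owned_note(db, user_id, note_id))
    return wrapper

@owned
def note_detail(note):
    return note[2]

def status(view, *args):
    # Map the outcome of a view call to the status code a client would see.
    try:
        view(*args)
        return 200
    except NotFound:
        return 404
```
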

